BEA WebLogic SSL CA-signed certificate spoofing

weblogic-ca-certificate-spoofing (11985)

Medium Risk

Description:

BEA WebLogic could allow a remote attacker to spoof a CA-signed (Certificate Authority) certificate and perform a man-in-the-middle attack against an unsuspecting user, caused by improper handling of SSL certificates. An attacker could use this vulnerability to spoof trusted Web sites, digitally signed emails, certificate-based authentication, and Authenticode signatures.

Platforms Affected:

• BEA, Tuxedo 8.0
• BEA, Tuxedo 8.1
• BEA, WebLogic Enterprise 5.0.1
• BEA, WebLogic Enterprise 5.1
• BEA, WebLogic Server 5.1 Express
• BEA, WebLogic Server 5.1
• BEA, WebLogic Server 6.1
• BEA, WebLogic Server 6.1 Express
• BEA, WebLogic Server 7.0
• BEA, WebLogic Server 7.0 Express
• BEA, WebLogic Server 7.0.0.1
• BEA, WebLogic Server 7.0.0.1 Express

Remedy:

For WebLogic Server and Express 7.0 or 7.0.0.1:
Upgrade to Service Pack 2 or later, as listed in BEA Systems, Inc. Security Advisory BEA03-31.00. See References.

For WebLogic Server and Express 6.1:
Upgrade to Service Pack 5 or later, as listed in BEA Systems, Inc. Security Advisory BEA03-31.00. See References.

For WebLogic Server and Express 5.1:
Upgrade to Service Pack 13 or later and apply the CR090101_src510 patch, as listed in BEA Systems, Inc. Security Advisory BEA03-31.00. See References.

For WebLogic Enterprise 5.1:
Apply the Rolling Patch 145 or later, as listed in BEA Systems, Inc. Security Advisory BEA03-31.00. See References.

For WebLogic Enterprise 5.0:
Apply the Rolling Patch 59 or later, as listed in BEA Systems, Inc. Security Advisory BEA03-31.00. See References.

For WebLogic Tuxedo 8.1:
Apply the Rolling Patch 12 or later, as listed in BEA Systems, Inc. Security Advisory BEA03-31.00. See References.

For WebLogic Tuxedo 8.0:
Apply the Rolling Patch 166 or later, as listed in BEA Systems, Inc. Security Advisory BEA03-31.00. See References.

Consequences:

Bypass Security

References:

• BEA Systems, Inc. Security Advisory (BEA03-31.00), Patches available to prevent invalid SSL certificate chain vulnerability at http://dev.bea.com/resourcelibrary/advisoriesnotifications/BEA03-31.jsp.

Reported:

May 12, 2003

The information within this database may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (Internet Security Systems X-Force) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.

Copyright (c) 1994-2008 Internet Security Systems, Inc. All rights reserved worldwide.

For corrections or additions please email xforce@iss.net

Return to the main page